Small Businesses Hacked
Interesting little story at Bloomberg with all the ingredients: Worms, theft, wire transfers, insensitive banks, and mysterious international fraudsters.
http://www.bloomberg.com/news/2011-0...indemnify.html |
A PR campaign by US secret police?
That is an interesting news story, and the authors make some valid points.
But I'd like to put it in perspective. I follow the comp-security/privacy news very closely, so I can often spot trends others might miss. In recent weeks I've seen quite a few US-centric news stories thumping on these themes:
What is behind the news stories harping on the common themes I listed above? Well, the US spooks are campaigning for public support for their request to the US Congress for the "legal authority" to DPI anyone's traffic without having to give anyone a reason for intercepting email/VOIP/financial-transactions (which is allegedly what they have been doing illegally for almost a decade). One clue that the story you cited is part of their PR campaign is this excerpt:
These issues affect persons living outside the US, because a large portion of the world's internet traffic passes at some point through the US, and the US spooks have long operated DPI boxes at the point where international traffic enters US controlled territory. Also, intelligence agencies in many other countries model their ambitions after those of the US spooks (but are generally even less able to actually pay for 24/7 universal population surveillance without creating huge budget deficits). My feeling about US three-letter agencies is they should be all one thing or all the other. In particular
Furthermore, while the DPI boxes are expensive, the real hidden cost in this vast-expansion-of-domestic-spookery initiative appears to be the cost of the datacenters needed to analyze the vast torrents of data the US spooks are slurping up. To sort through this data, the secret police have been quietly building several huge datacenters around the USA, each drawing as much power as a city the size of Baltimore, MD. In order to roboinspect (and optionally store for later retrieval and/or human inspection) absolutely every packet which enters the US internet anywhere anytime--- which is their ultimate goal--- they will need many more. The total cost of the existing internet snooping appears to be upwards of 100 billion annually and is said to be by far the largest component of the combined US intelligence budget of some 150 billion annually and growing fast (could be 300 billion annually by 2015). The stories in this campaign never mention the cost, because in the current climate of fiscal austerity it obviously simply does not make sense to further expand the already huge US intelligence budget. And these datacenters also contribute to global warming, which is another reason why in my opinion, US lawmakers should be asking some very tough questions about whether the US should really be in the business of spying 24/7 on absolutely everything anyone does on-line, especially because it is far from clear that this would even be effective in actually combatting cybercrime. Indeed, I think it is quite clear that the real purpose of 24/7 universal population surveillance has nothing to do with protecting small businesses from international cybercrime, but has everything to do with monitoring thought crime. The US executive is deeply worried that as the US continues to decline and its economy worsens, the US may experience political turmoil similar to that recently seen in countries like Egypt and Syria.
It is also relevant that US/UK based companies which make these specialized multi GB/sec DPI boxes have also been selling them for years to the secret police of countries like Egypt, Syria, Libya... Exact same equipment designed for 24/7 universal surveillance, for exactly the same purpose: oppression. In my view, if you really want to combat cybercrime, it would be more effective to increase computer security, and I suspect that the most cost-effective way to do that is to start fining major US software vendors for security blunders which cost more than a certain threshold. Then and only then will they finally start building in security from the start of each software project. Also, in my view, a major part of the problem for US small businesses is that they have no friends in the struggle against cybercrime, because the US FBI and its partners appear to have morphed into law-breaking agencies, which means they cannot be trusted. Also, they appear to have adopted the maxim that everyone is a suspect all the time, which is typical of counter-intelligence agencies but in my view is utterly inappropriate for a law enforcement agency. It follows, I think, that if you believe, as I do, in the rule of law, and the principle that all persons should be equal before the law, then we cannot cooperate with lawbreaking agencies. Another major issue which the stories in this PR campaign never mention is that all this domestic spookery requires not only a vast data processing capability but also a vast army of human "criminal intelligence analysts", numbering in the millions, each granted (it is said) full access to the geolocation, phone records, utility records, property records, credit records, banking records, local/interstate/international travel records, search records, voice mail, email, social media user accounts, religious affiliations, and medical records of anyone they suspect for any reason.
And when it was revealed that the FBI was failing to properly enforce what little oversight mechanisms it had created to try to ensure that this army of spooks does not abuse their power, the response of the FBI was to eliminate any attempt at oversight. And it's even worse than that: a large portion of this army of domestic cyberspooks consists of contract employees working for private spycos hired to provide "CIAs" to state and local fusion centers inside the US. Indeed, the FBI appears to have outsourced to private companies many of its most objectionable domestic espionage activities, paying them large sums in return for having them assume the legal liabilities if they are caught and brought to justice. Where might this all lead? I point to the examples of countries such as Russia and China, where there is endemic corruption in the government and, it is said, extensive cooperation between organized crime and intelligence operations. At the very least, the governments of these countries appear to often turn a blind eye to spamming and cybercrime operations targeting citizens of their rivals on the international stage. I would have to recommend to small business people that they not even report problems to US CERT, FBI, etc., but instead adopt open source software and come to forums like this for security advice, as a stop-gap measure until better measures are available. Because to reform the FBI, Americans will need to boycott the FBI. And if you want to prevent political turmoil inside the US, the best way to do that is to provide good government at a cost the US can afford. Further vast expansions in the US secret police budget run contrary to such a common sense strategy. I cannot claim that there are any easy solutions to the problem of cybercrime.
Only the US spooks do that, when they imply (without presenting any real evidence) that if they are only given the legal authority and equipment they need to spy 24/7 on absolutely everything everyone does on-line, without any need to seek any warrants and without any oversight (which would add still more to the cyber-budget), they can eradicate cybercrime, terrorism, radicalism, nonconformism, atheism... |
Today security = surveillance. This was not the case some time ago tho. Don't worry tho, there's nothing you can do, just accept your doom.
|
How to verify my claims
Thanks for reading my little essay!
I feel that I can support all the claims I have made in this thread, but providing links would be a lot of work and in the past, my lists of links have been summarily deleted. But here are a few to get you started, if you are interested in trying to see whether or not my claims are accurate and documented by documents obtained under US FOIA and from leaks of documents which have been admitted to be genuine:
Call me a meddler, but IMO, in their own best interests, Americans should strenuously resist every attempt of the US secret police to make the US look even less like the nation envisioned in the US Constitution and even more like these countries:
http://www.opennet.net/west-censorin...sors-2010-2011 Now look to see which companies make DPI boxes and where they maintain overseas offices. Don't take my word for it, see for yourself! Some other countries where privacy, civil-rights, and ultimately democracy itself are under assault:
So I hope you will reconsider your defeatist attitude and consider joining an organization such as the ACLU. |
I know one blogger who follows the cyberwar hype from a standpoint of pointing out the hype. (I know there are others, but this is one I stumbled on), George Smith of the Dick Destiny Blog.
http://dickdestiny.com/blog1/ I have to be all blame-the-victim, but I think a lot of folks who use computers fail to educate themselves on even the basics of security. Also, I think the news media make themselves easy pickings for the hype, because by-and-large they don't have a clue about networks and how they work. I second the ACLU. For all they sometimes defend lousy people, they consistently defend good principles and good law. |
When I have a paying job, I will donate to those organizations in the hope that they will help slow the inevitable. I do not believe, however, that they can stop the inevitable. I'm quite sure they've been planning this for some time, and it's not just in the US, it is global. Just look around and see that the same measures are being applied globally, and the same words and notions are used. This is the work of an organization with god-like powers, I very much doubt they can be defeated. This is the dawn of the NWO.
|
The US Surveillance State will defeat itself, but better to dismantle before that happens
@ frankbell:
I also (sometimes) read Dick Destiny Blog! Bruce Schneier has also often debunked cyberwar hype in his various writings, including I think his own blog.
I find that when discussing computer security/privacy issues, it is difficult to maintain the appearance of self-consistency without going on and on about fine distinctions, because these issues are so complicated, in part because the underlying technological issues are often both unfamiliar and complex. So in the interests of brevity I will not attempt to explain why I don't think it is really inconsistent for me to say:
@ H_TeXMeX_H:
Let me reiterate two points:
|
I mostly agree, but I don't think you're seeing the bigger picture. The s*** is gonna hit the fan soon, so maybe then you will see. I'm sure we can agree that the future includes: extreme poverty, oppression, surveillance, human rights abuse, war, and basically a new dark age. I saw it coming several years ago, and it is getting close.
|
You said so much that I will not try to respond to it all.
I didn't mean to imply that a home "sysadmin" needs to understand the finer points of security. I was thinking more in terms of "don't do stupid stuff," such as click on one of those links that tells you you are infected and have to install some kind of ransomware (it's fun watching them pretend to scan a Linux box and tell you that C:\ is infected), don't go on the internet without a well-reputed anti-virus and firewall, investigate error messages before you panic, and don't believe emails that tell you to click the link to log into your bank account to validate your information. That is hardly rocket-science. I will hold up my girlfriend as an example, because she's a fairly typical user. She surfs the web a little, plays some online games (being female, most word games), emails, and does work. She's atypical I guess to this extent--although she has a Facebook account, she seldom uses it and, when she does, it's mostly for chats with her sister in Hungary (she's a Hungarian whose father brought her out after the 1956 Revolution)--no Farmville. I periodically scan her computer with Adaware and Spybot; they have not yet turned up anything. AVG never finds anything. Why? Because she thinks before she clicks. |
Insecure behavior by persons who clearly know better
I don't think we really disagree on anything, just are shifting the emphasis. Of course I agree that not clicking on probable phishing links, etc., is common sense, but would point out that variation within any human population larger than say 20 is much larger than variation between any populations. Some people are by no means dull but are very trusting by nature, and developmentally disabled adults use computers too. And I am sure we have all encountered organizations where well-educated users are officially advised to do something extremely stupid, by sysadmins who are, I guess, over their heads. So:
So who can we blame? Well, I'm biased, but I'll name those short-sighted executives who wouldn't listen, who refused a decade ago to build security in from the ground floor. We took a system whose idea of security derived from the MIT computing lab and very quickly grew that into a system with three billion users, without fundamentally changing the security model. The result, predictably enough: chaos. Actually, there is an example of knowledgeable users being officially advised to do something really stupid, and doing it, right in front of us right here in this forum. When any of us surf here, we encounter a pane in the upper right corner which invites us to log in. We all know that username and password are transmitted in the clear, and that this is very easy to sniff by anyone who has a packet sniffer installed in any of dozens of places where they can access the right packet as it passes by. So logging into this forum violates every notion of secure user behavior, yet we all do it, and very few of us even protest that this forum should use encryption to secure logins. Even better, secure all web transactions: https://www.httpsnow.org/. (OK, "secure" in scare quotes, because we all know that SSL is broken. But it would be better than what we have now, which is no security at all.) Many of us also share personal information in unencrypted posts or profile pages, which can be hazardous, particularly for sysadmins and persons expressing views which some governments might wish to repress. See
So maybe we should also blame social media magnates, and even ourselves (as knowledgeable users who accept insecure logins). EDIT: oh, fiddlesticks! I was one of the LQ users who complained, and I just learned by accident that LQ did implement SSL here; try:
https://www.linuxquestions.org/questions/login.php
P.S.: my attempt to post this encountered what may have been a hijack attempt. EDIT: that probably would not have happened had I known that LQ apparently does now support https. Has anyone tested this to make sure it is working properly? |
I don't think it's just about money myself. Politicians and the #$^#$ scum who pay them (oops, 'donate') see the internet as a way of getting a level of surveillance on the general population that even the old DDR (East German) government could only dream of, at a fraction of the cost.
If you care anything about Australian politics, a good place to see a different 'prong' of this attack is "Australians for Honest Politics Trust". To cut a long story short, one of the pollies (who is now "leader of the opposition") from the 2 main political parties created a slush fund for attacking a fairly new party, "One Nation". I personally can't stand One Nation, they are mostly a bunch of right wing racists, but the way the attack happened was VERY dirty. Some links here- http://www.smh.com.au/specials/abbottaffair/
http://www.youtube.com/watch?v=_CWBTL33MpA I didn't have you pegged as a 'we can't do anything, just give up' emo H_TeXMeX_H. If we allow this to happen, there is nobody to blame but ourselves. "Better die on your feet than to live on your knees". |
What does the future have in store for us? The US secret police are currently drooling in glee over the prospect of software which supposedly will know that you might be about to commit thought crime before you yourself are aware of it. And they are salivating over nano spydrones the size of flies. And, unfortunately, much much more. Amazing how prescient Orwell really was--- I urge everyone to re-read his novel. Operatives of the US Surveillance State appear to have read it, asking "great idea! how can we implement it?"
I have found that a concern for privacy/human rights inevitably draws one into national debates in nations ranging from Australia to Thailand. Of course, some countries don't even pretend to allow discussion of political issues at all, much less controversial issues, like Zimbabwe. As an example, I have followed the controversy in Australia over transit cards. Did you know that the databases which track the movements of transit riders in Brisbane and other cities are apparently operated by a US spyco? Specifically, while current and accurate information is not easily obtained, as of a few years ago, when I researched this issue, I believe that the Brisbane database, and other aspects of the fare collection system, is maintained by Cubic Transportation Systems Inc. (CTS), a San Diego based subsidiary of US defense giant Cubic Corp. In 2011, Cubic was the 75th largest US Federal contractor with some 278 million annually in contracts. It claims to be
It can be a bit difficult to follow the trail of who runs surveillance in transit systems, since as you know transit conglomerates tend to be public-private partnerships which continually change their names, and several transitcard giants have reorganized due in part to bad publicity and in part to financial losses due to their many failures worldwide to even get the fares paid. Also, the public-private partnerships are often secretive about what companies they work with, and often harass security researchers who uncover serious shortcomings. To name just one recent example:
However, as you probably know, Cubic stepped in when one Australian transit card project suffered an epic fail and the previous company was fired. The name of the villain in the story by Elinor Mills, Trans Link Systems, may ring a bell with some Aussies. The CTS blurb mentions "call centre services" (that's outsourcing to you and me!). One reason why so many call centers use VOIP is allegedly that the content of incoming calls is easier for companies like Cubic to digitize, analyze (spectrographically and also for keywords) and serve up to data centers operated by intelligence agencies. Apparently it is easier for them to claim they are doing this legally without a warrant if they use VOIP. But if the population knew what is going on, I suspect that a popular outcry would induce national legislatures to try to put a stop to it. In threads like this LQ thread, I have tried to make the Linux community aware of the far-reaching significance of the HBGary leaks. In one of the emails which Aaron Barr sent which was leaked in the HBGary breach, he expressed jocose regret that he had not yet been able to locate the "missile coordinates" of Anonymous members. This remark may seem less amusing if you know that before joining HBGary, Barr worked at Northrop Grumman, which manufactures a number of drones for the US military, including
Something to think about when you watch recent footage from the mean streets of Syria. Earlier in the thread, I said that I believe that the news story cited is one of many which originate in a publicity campaign by the U.S. Surveillance State, which wishes to further expand its warrantless intrusions into the private lives of all US persons (and everyone else). A concurrent campaign consists of stories offering a feel-good profile of a recruitment drive at DEFCON (as I write, being held in Las Vegas, Nevada, USA). I'd urge any DEFCON attendees approached by the NSA to carefully consider the implications of the fact that joining the bad guys (the secret police) is like joining the Mafia: if things don't work out the way you hoped, you can't just quit and go back to working for the good guys (the independent security researchers, excluding informants). And depending upon how deeply you get drawn into activities like assassinations which violate international law, you could one day wind up in the dock in the International Criminal Court in the Hague. Something to think about: who would want to be cellmates with Ratko Mladic? |
Peufelon, I see no disagreement between us at all. I was speaking more about sensible user practices; you were speaking about sensible network practices. We need both. And I commend your attempts to bring more public awareness to these issues. You might find this podcast interesting.
Your point about social networks is well-made. Persons develop a personal relationship with their computers and forget that the internet is a public place. Any information you place there should be information you expect may become public; it should not be anything you would not mind being public. I have posted a lot of pictures on Facebook. None of them are of my family or friends--it is not my place to share their stuff--most of my pix are of scenery. I was trading emails today with a friend of mine who found a bogus charge for some SMS service slammed on her cell phone bill. Her cell phone provider promptly revoked the charge without question and, in the course of the conversation, told her that one of the most unsafe things persons can do is put their cell phone numbers on Facebook (which she doesn't, by the way). The phone slammers cruise FB and grab the numbers, then slam the accounts. By the way, Peufelon, check my profile. You might recognize my website. |
I don't really see much hope, because I see how people are. They are sheep. I can't imagine being able to convince the sheep that their master will have them on the chopping block soon, and for them to do something or help out. I think all they will say is their usual 'baaaaaa a a aa' |